BGP Extended Access-List Filtering

Hi Walid,

I just labbed this up again and I’m getting the same RIB failures. If you enable a debug, you can see the reason:

R1#debug ip routing 
IP routing debugging is on

This shows up when you clear the routing table or clear the BGP neighbor adjacency:

RT: rib validate nexthop return code: 3
RT: rib validate nexthop return code: 3
RT: rib validate nexthop return code: 3

Return code 3 means the prefix is filtered because of an access-list. This one got me scratching my head for a bit…

The weird thing is, the access-list seems to be correct. They use the exact same example here:

After some tests, it seems that R1 denies the next hop IP address. If you add a statement like this:

R1(config)#access-list 100 permit ip host 192.168.12.2 any

Then it works:

R1#show ip bgp
BGP table version is 4, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   20.0.0.0         192.168.12.2             0             0 2 i
 *>   172.16.0.0/24    192.168.12.2             0             0 2 i
 *>   192.168.1.0      192.168.12.2             0             0 2 i

You can see it in the debug too:

R1#clear ip route *

RT: updating bgp 20.0.0.0/8 (0x0)  :
    via 192.168.12.2   0 1048577

RT: add 20.0.0.0/8 via 192.168.12.2, bgp metric [20/0]

RT: updating bgp 172.16.0.0/24 (0x0)  :
    via 192.168.12.2   0 1048577

RT: add 172.16.0.0/24 via 192.168.12.2, bgp metric [20/0]

RT: updating bgp 192.168.1.0/24 (0x0)  :
    via 192.168.12.2   0 1048577

RT: add 192.168.1.0/24 via 192.168.12.2, bgp metric [20/0]

And a match on the access-list:

R1#show access-lists 
Extended IP access list 100
    10 permit ip host 20.0.0.0 host 255.0.0.0 (3 matches)
    20 permit ip host 172.16.0.0 host 255.255.255.0 (3 matches)
    30 permit ip host 192.168.1.0 host 255.255.255.0 (3 matches)
    40 permit ip host 192.168.12.2 any (9 matches)

It’s strange and this doesn’t seem to be documented. Anyway, after adding it, it works.

Rene

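The behaviour described in the post, modelled in Python as an added example (this is not code from the thread or from IOS): the extended access-list used as a BGP distribute-list is consulted twice, once with the route's prefix as "source" and its mask as "destination", and once more with the next-hop address as "source" when the RIB validates the route. The two-stage check and the treatment of the next-hop check's destination as unknown (so only an `any` destination can match) are assumptions that reproduce the symptom and the fix shown above.

```python
import ipaddress
from typing import List, Optional, Tuple

# ACL entry: (action, source host or None for 'any', destination host or None for 'any')
Entry = Tuple[str, Optional[str], Optional[str]]

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse IOS-style 'permit|deny ip (host A|any) (host B|any)' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        action, tok = tok[0], tok[2:]          # skip the 'ip' protocol keyword
        fields: List[Optional[str]] = []
        while tok:
            if tok[0] == "any":
                fields.append(None); tok = tok[1:]
            elif tok[0] == "host":
                fields.append(tok[1]); tok = tok[2:]
            else:
                raise ValueError(f"unsupported token {tok[0]!r}")
        entries.append((action, fields[0], fields[1]))
    return entries

def acl_permits(acl: List[Entry], src: str, dst: Optional[str]) -> bool:
    """First match wins, implicit deny at the end. dst=None means the
    destination is unknown for this check, so only an 'any' destination matches
    (assumption: this is how the next-hop validation is modelled here)."""
    for action, s, d in acl:
        if (s is None or s == src) and (d is None or (dst is not None and d == dst)):
            return action == "permit"
    return False

def route_accepted(acl: List[Entry], prefix: str, next_hop: str) -> Tuple[bool, str]:
    """Stage 1: distribute-list match on prefix/mask. Stage 2: RIB next-hop check."""
    net = ipaddress.ip_network(prefix)
    if not acl_permits(acl, str(net.network_address), str(net.netmask)):
        return False, "filtered by distribute-list"
    if not acl_permits(acl, next_hop, None):
        return False, "RIB-failure: next hop denied by access-list (return code 3)"
    return True, "installed"

# Constructed from the access-list shown in the post (R1, ACL 100)
ACL_BEFORE = parse_acl([
    "permit ip host 20.0.0.0 host 255.0.0.0",
    "permit ip host 172.16.0.0 host 255.255.255.0",
    "permit ip host 192.168.1.0 host 255.255.255.0",
])
ACL_AFTER = ACL_BEFORE + parse_acl(["permit ip host 192.168.12.2 any"])
```

Running `route_accepted(ACL_BEFORE, "20.0.0.0/8", "192.168.12.2")` reports the RIB failure, while the same call against `ACL_AFTER` returns installed; a prefix not listed in the ACL is still dropped at stage 1.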